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1001733 1-1 PATENT APPLICATION 

^ ELflb4i73^aDUS 



METHOD AND COMPUTER-READABLE MEDIUM FOR INTEGRATING A 
DECODE ENGINE WITH AN INTRUSION DETECTION SYSTEM 



TECHNICAL FIELD OF THE INVENTION 

This invention relates to network technologies and, more particularly, to a 
method and computer readable medium for integrating a decode engine with an 
intrusion detection system. 



CROSS-REFERENCE TO RELATED APPLICATIONS 

This patent application is related to co-pending U.S. Patent Application, Serial 

No. , entitled "METHOD AND COMPUTER READABLE MEDIUM 

M FOR SUPPRESSING EXECUTION OF SIGNATURE FILE DIRECTIVES DURING 

15 A NETWORK EXPLOIT," filed October 31, 2001, co-assigned herewith; U.S. Patent 

Application, Serial No. , entitled "SYSTEM AND METHOD OF 

DEFINING THE SECURITY CONDITION OF A COMPUTER SYSTEM," filed 
W October 31, 2001, co-assigned herewith; U.S. Patent Application, Serial No. 

■5 , entitled "SYSTEM AND METHOD OF DEFINING THE 

^ 20 SECURITY VULNERABILITIES OF A COMPUTER SYSTEM," filed October 31, 
2001, co-assigned herewith; U.S. Patent Application, Serial No. , 



entitled "SYSTEM AND METHOD OF DEFINING UNAUTHORIZED 
INTRUSIONS ON A COMPUTER SYSTEM," filed October 31, 2001, co-assigned 
herewith; U.S. Patent Application, Serial No. , entitled "NETWORK 

25 INTRUSION DETECTION SYSTEM AND METHOD," filed October 31, 2001, co- 
assigned herewith; U.S. Patent Application, Serial No. , entitled 

"NODE, METHOD AND COMPUTER READABLE MEDIUM FOR INSERTING 
AN INTRUSION PREVENTION SYSTEM INTO A NETWORK STACK," filed 
October 31, 2001, co-assigned herewitii; U.S. Patent Application, Serial No. 

30 , entitled "METHOD, COMPUTER-READABLE MEDIUM, AND 

NODE FOR DETECTING EXPLOITS BASED ON AN INBOUND SIGNATURE 
OF THE EXPLOIT AND AN OUTBOUND SIGNATURE EST RESPONSE 
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THERETO," filed October 31, 2001, co-assigned herewith; U.S. Patent Application, 

Serial No. , entitled "NETWORK, METHOD AND COMPUTER 

READABLE MEDIUM FOR DISTRIBUTED SECURITY UPDATES TO SELECT 
NODES ON A NETWORK," filed October 31, 2001, co-assigned herewith; U.S. 

5 Patent Application, Serial No. , entitled "METHOD, COMPUTER 

READABLE MEDIUM, AND NODE FOR A THREE-LAYERED INTRUSION 
PREVENTION SYSTEM FOR DETECTING NETWORK EXPLOITS," filed 
October 31, 2001, co-assigned herewith; U.S. Patait Application, Serial No. 

, entitled "SYSTEM AND METHOD OF AN OS-INTEGRATED 

10 INTRUSION DETECTION AND ANTI-VIRUS SYSTEM," filed October 31, 2001, 

co-assigned herewith; U.S. Patent Application, Serial No. , entitled 

"METHOD, NODE AND COMPUTER READABLE MEDIUM FOR 
IDENTIFYING DATA IN A NETWORK EXPLOIT," filed October 31, 2001, co- 

assigned herewith; U.S. Patent Application, Serial No. , entitled 

^' 15 "NODE, METHOD AND COMPUTER READABLE MEDIUM FOR OPTIMIZING 
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PERFORMANCE OF SIGNATURE RULE MATCHING IN A NETWORK," filed 
October 31, 2001, co-assigned herewith; U.S. Patent Application, Serial No. 

, entitled "METHOD, NODE AND COMPUTER READABLE 

MEDIUM FOR PERFORMING MULTIPLE SIGNATURE MATCHING EST AN 

20 INTRUSION PREVENTION SYSTEM," filed October 31, 2001, co-assigned 

herewith; U.S. Patent Application, Serial No. , entitled "USER 

INTERFACE FOR PRESENTING DATA FOR AN INTRUSION PROTECTION 
SYSTEM," filed October 31, 2001, co-assigned herewith; U.S. Patent AppHcation, 
Serial No. , entitled "NODE AND MOBILE DEVICE FOR A 

25 MOBILE TELECOMMUNICATIONS NETWORK PROVIDING INTRUSION 
DETECTION," filed October 31, 2001, co-assigned herewitii; U.S. Patent 

Application, Serial No, , entitled "SYSTEM AND METHOD OF 

GRAPHICALLY DISPLAYING DATA FOR AN INTRUSION PROTECTION 
SYSTEM," filed October 31, 2001, co-assigned herewith; and U.S. Patent 

30 AppUcation, Serial No. , entitled "SYSTEM AND METHOD OF 
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GRAPHICALLY CORRELATING DATA FOR AN INTRUSION PROTECTION 
SYSTEM," filed October 31, 2001, co-assigned herewith. 

BACKGROUND OF THE INVENTION 

Network-exploit attack tools, such as denial-of-service (DoS) attack utilities, 
are becoming increasing sophisticated and, due to evolving technologies, simple to 
execute. Relatively imsophisticated attackers can arrange, or be involved in^ computer 
system compromises directed at one or more targeted facilities. A network system 
attack (also referred to herein as an intrusion) is an unauthorized or malicious use of a 
computer or computer network and may involve hundred or thousands of unprotected, 
or alternatively compromised, Internet nodes together in a coordinated attack on one 
or more selected targets. 

Network attack tools based on the client/server model have become a preferred 
mechanism for executing network attacks on targeted networks or devices. High 
capacity machines in networks having deficient security are often desired by attackers 
to launch distributed attacks therefrom. University servers typically feature high 
connectivity and capacity but relatively mediocre security. Such networks also often 
have inexperienced or overworked network administrators making them even more 
vulnerable for involvement in network attacks. 

Network-exploit attack tools, comprising hostile attack applications such as 
denial-of-service (DoS) utilities, responsible for transmitting data across a network 
medium will often have a distinctive "signature," or recognizable pattern within the 
transmitted data. The signature may comprise a recognizable sequence of particular 
packets and/or recognizable data that is contained within one or more packets. 
Signature analysis is often performed by a network intrusion prevention system (IPS) 
and may be implemented as a pattern-matching algorithm and may comprise other 
signature recognition capabilities as well as higher-level application monitoring 
utilities. A simple signature analysis algorithm may search for a particular string that 
has been identified as associated with a hostile application. Once the string is 
identified within a network data stream, the one or more packets carrying the string 
may be identified as "hostile," or exploitative, and the IPS may then perform any one 
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or more of a number of actions, such as logging the identification of the frame, 
performing a countermeasure, or performing another data archiving or protection 
measure, 

hitmsion prevention systems (IPS) encompass technology that attempts to 
5 identify exploits against a computer system or network of computer systems. 
Numerous types of ff Ss exist and each are generally classified as eith^ a network- 
based, host-based, or node-based IPS. 

Network-based IPS appliances are typically dedicated systems placed at 
strategic places on a network to examine data packets to determine if they coincide 
10 with known attack signatures. To compare packets with known attack signatures, 
network-based IPS apphances utilize a mechanism referred to as passive protocol 
analysis to inconspicuously monitor, or "sniff," all traffic on a network and to detect 
low-level events that may be discerned from raw network traffic. Network exploits 



^ may be detected by identifying patterns or other observable characteristics of network 

s 15 frames. Network-based IPS apphances examine the contents of data packets by 
^ parsing network frames and packets and analyzing individual packets based on the 

j^i protocols used on the network. A network-based EPS appliance inconspicuously 

monitors network traffic inconspicuously, i.e., other network nodes may be, and often 
are, unaware of the presence of the network-based IPS appliance. Passive monitoring 
20 is normally performed by a network-based IPS appliance by implementation of a 
"promiscuous mode" access of a network interface device. A network interface 
device operating in promiscuous mode copies packets directly from the network 
media, such as a coaxial cable, lOObaseT or other transmission medium, regardless of 
the destination node to which the packet is addressed. Accordingly, there is no simple 
25 method for transmitting data across the network transmission medium without the 
network-based IPS appliance examining it and thus the network-based IPS appliance 
may capture and analyze all network traffic to which it is exposed. Upon 
identification of a suspicious packet, i.e., a packet that has attributes corresponding to 
a known attack signature monitored for occurrence by the network-based IPS 
30 appliance, an alert may be generated thereby and transmitted to a management module 
of the IPS so that a networking expert may implement security measures. Network- 
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based BPS appliances have the additional advantage of operating in real-time and thus 
can detect an attack as it is occurring. Moreover, a network-based IPS appliance is 
ideal for implementation of a state-based IPS security measure that requires 
accumulation and storage of identified suspicious packets of attacks that may not be 
5 identified "atomically," that is by a single network packet. For example, transmission 
control protocol (TCP) synchronization (SYN) flood attacks are not identifiable by a 
single TCP SYN packet but rather are generally identified by accumulating a count of 
TCP SYN packets that exceed a predefined threshold over a defined period of time. A 
network-based JPS appliance is therefore an ideal platform for implementing state- 
10 based signature detection because the network-based DPS appliance may collect all 
O such TCP SYN packets that pass over the local network media and thus may properly 

g archive and analyze the fi*equency of such events. 

However, network-based IPS appliances may often generate a large number of 
"false positives/' i,e., incorrect diagnoses of an attack. False positive diagnoses by 
15 network-based IPS appliances result, in part, due to errors generated during passive 
analysis of all the network traffic captured by the IPS that may be encrypted and 
formatted in any number of network supported protocols. Content scanning by a 
network-based IPS is not possible on an encrypted link although signature analysis 
based on protocol headers may be performed regardless of whether the link is 
20 encrypted or not. Additionally, network-based TPS appUances are often ineffective in 
high speed networks. As high speed networks become more commonplace, software- 
based network-based IPS appliances that attempt to sniff all packets on a link will 
become less reliable. Most critically, network-based IPS appliances can not prevent 
attacks xmless integrated with, and operated in conjunction with, a firewall protection 
25 system. 

Host-based IPSs detect intrusions by monitoring application layer data. Host- 
based IPSs employ intelligent agents to continuously review computer audit logs for 
suspicious activity and compare each change in the logs to a library of attack 
signatures or user profiles. Host-based IPSs may also poll key system files and 
30 executable files for unexpected changes. Host-based IPSs are referred to as such 
because the IPS utilities reside on the system to which they are assigned to protect. 
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Host-based IPSs typically employ application-level monitoring techniques that 
examine apphcation logs maintained by various applications. For example, a host- 
based IPS may monitor a database engine that logs failed access attempts and/or 
modifications to system configurations. Alerts may be provided to a management 
node upon identification of events read fi:om the database log that have been identified 
as suspicious. Host-based IPSs, in general, generate very few false-positives. 
However, host-based IPS such as log-watchers are generally limited to identifying 
intrusions that have already taken place and are also limited to events occurring on the 
single host. Because log-watchers rely on monitoring of application logs, any damage 
resulting fi-om the logged attack will generally have taken place by the time the attack 
has been identified by the ffS. Some host-based IPSs may perform intrusion- 
preventative fiinctions such as 'hooking' or 'intercepting' operating system 
application programming interfaces to facilitate execution of preventative operations 
by an DPS based on application layer activity that appears to be intrusion-related. 
Because an intrusion detected in this maimer has already bypassed any lower level 
IPS, a host-based IPS represents a last layer of defense against network exploits. 
However, host-based systems are of little use for detecting low-level network events 
such as protocol events. 

Node-based IPSs apply the intrusion detection and/or prevention technology 
on the system being protected. An example of node-based IPS technologies is inline 
intrusion detection, A node-based IPS may be implemented at each node of the 
network that is desired to be protected. Inline IPSs comprise intrusion detection 
technologies embedded in the protocol stack of the protected network node. Because 
the inline IPS is embedded within the protocol stack, both inbound and outbound data 
will pass througji, and be subject to monitoring by, the inline IPS. An inhne IPS 
overcomes many of the inherent weaknesses of network-based solutions. As 
mentioned hereinabove, network-based solutions are generally ineffective when 
monitoring high-speed networks due to the fact that network-based solutions attempt 
to monitor aU network traffic on a given link. Inline intrusion prevention systems, 
however, only monitor traffic directed to the node on which the inline IPS is installed. 
Thus, attack packets can not physically bypass an inline IPS on a targeted machine 
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because the packet must pass through the protocol stack of the targeted device. Any 
bypassing of an inline IPS by an attack packet must be done entirely by 'logically* 
bypassing the IPS, i.e., an attack packet that evades an inline IPS must do so in a 
manner that causes the inline IPS to fail to identify, or improperly identify, the attack 
packet. Additionally, inline IPSs provide the hosting node with low-level monitoring 
and detection capabilities similar to that of a network IPS and may provide protocol 
analysis and signature-matching or other low-level monitoring or filtering of host 
traffic. The most significant advantage offered by inline IPS technologies is that 
attacks are detected as they occur. Whereas host-based IPSs determine attacks by 
monitoring system logs, inline intrusion detection involves monitoring network traffic 
and isolating those packets that are determined to be part of an attack against the 
hosting server and thus enabling the inline IPS to actually prevent the attack fi*om 
succeeding. When a packet is determine to be part of an attack, the inhne IPS layer 
may discard the packet thus preventing the packet from reaching the upper layer of the 
protocol stack where damage may be caused by the attack packet - an effect that 
essentially creates a local firewall for the server hosting the inline IPS and protecting 
it Scorn threats coming either firom an external network, such as the Internet, or firom 
within the network. Furthermore, the inhne IPS layer may be embedded within the 
protocol stack at a layer where packets have been imencrypted so that the inhne IPS is 
effective operating on a network with encrypted links. Additionally, inline IPSs can 
monitor outgoing traffic because both inbound and outbound traffic respectively 
destined to and originating from a server hosting the inline IPS must pass through the 
protocol stack. 

Although the advantages of inline IPS technologies are numerous, there are 
drawbacks to implementing such a system. Inline intrusion detection is generally 
processor intensive and may adversely effect the node's performance hosting the 
detection utihty. Additionally, inhne IPSs may generate numerous false positive 
attack diagnoses. Furthermore, inline IPSs cannot detect systematic probing of a 
network, such as performed by reconnaissance attack utiUties, because only traffic at 
the local server hosting the inline IPS is monitored thereby. 
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Each of network-based, host-based and inline-based IPS technologies have 
respective advantages as described above. Ideally, an intrusion prevention system will 
incorporate all of the aforementioned intrusion detection strategies. Additionally, an 
IPS may comprise one or more event generation mechanisms that report identifiable 
events to one or more management facihties. An event may comprise an identifiable 
series of system or network conditions or it may comprise a single identified 
condition. An IPS may also comprise an analysis mechanism or module and may 
analyze events generated by the one or more event generation mechanisms. A storage 
module may be comprised within an IPS for storing data associated with intrusion- 
related events. A countermeasure mechanism may also be comprised within the IPS 
for executing an action intended to thwart, or negate, a detected exploit. 

Applications that employ what is commonly referred to as a decode engine are 
typically maintained at a management node of a network employing an intrusion 
detection system. As intrusions are detected, the network firame data and other data 
associated with the intrusion may be captured and stored where the decode engine is 
later used to decode the raw network traffic into a form suitable for analysis. Typical 
decode engines are operable to decode hundreds of network protocols and often 
employ graphic utilities for formatting the captured data in a user-fiiendly format. 
However, implementation of a decode engine at a central location consumes valuable 
processing resources of the centrally located node employing the decode engine. 

SUMMARY OF THE INVENTION 

In accordance with an embodiment of the present invention, a method of 
detecting network-intrusions at a node of a network comprising identifying a fi-ame as 
an intrusion by an intrusion detection application, archiving event-data associated with 
the fi*ame, and decoding the event-data by a decode engine, Ihe decode engine 
integrated within the intrusion detection appUcation is provided. 

In accordance with another embodiment of the present invention, a computer- 
readable medium having stored thereon a set of instructions to be executed, the set of 
instructions, when executed by a processor, cause the processor to perform a computer 
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method of identifying, by an intrusion detection application, a frame of data as 
intrusion-related, and decoding the intrusion-related data. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention, the objects and 
advantages thereof, reference is now made to the following descriptions taken in 
connection with the accompanying drawings in which; 

FIGURE 1 illustrates an exemplary arrangement for executing a computer 
system compromise as is known in the art; 

FIGURE 2 illustrates a comprehensive intrusion prevention system employing 
network-based and hybrid host-based and node based intrusion detection technologies 
according to an embodiment of the invention; 

FIGURE 3 is an exemplary network protocol stack according to the prior art; 

FIGURE 4 illustrates a network node that may run an instance of an intrusion 
protection system application according to an embodiment of the present invention; 

FIGURE 5 illustrates an exemplary network node that may operate as a 
management node within a network protected by the intrusion protection system 
according to an embodiment of the present invention; 

FIGURE 6 illustrates an exemplary protocol stack having an intrusion 
protection system apphcation inserted therein and that may incorporate a decode 
engine according to an embodiment of the present invention; and 

FIGURE 7 is a decode engine schematic illustrating a decode engine integrated 
with an intrusion detection application according to an embodiment of the present 
invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 

The preferred embodiment of the present invention and its advantages are best 
understood by referring to FIGURES 1 through 7 of the drawings, like nxmierals being 
used for like and corresponding parts of the various drawings. 
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In FIGURE 1, there is illustrated an exemplary arrangement for executing a 
computer system compromise - the illustrated example showing a simphfied 
distributed intrusion network 40 arrangement typical of distributed system attacks 
directed at a target machine 30. An attack machine 10 may direct execution of a 
distributed attack by any number of attack agents 20A-20N by one of numerous 
techniques such as remote control by IRC "robot" appUcations. Attack agents 20A- 
20N, also referred to as "zombies" and "attack agents," are generally computers that 
are available for public use or that have been compromised such that a distributed 
attack may be launched upon command of an attack machine 10, Numerous types of 
distributed attacks may be launched against a target machine 30. The target machine 
30 may suffer extensive damage from simultaneous attack by attack agents 20A-20N 
and the att:ack agents 20A-20N may be damaged from the client attack application as 
well. A distributed intrusion network may comprise an additional layer of machines 
involved in an attack intermediate the attack machine 10 and attack agents 20A-20N, 
These intermediate machines are commonly referred to as "handlers" and each handler 
may control one or more attack agents 20A-20N. The arrangement shown for 
executing a computer system compromise is illustrative only and may compromise 
numerous arrangements that are as simple as a single attack machine 10 attacking a 
target machine 30 by, for example, sending malicious probe packets or other data 
intended to compromise target machine 30. Target machine may be, and often is, 
connected to a larger network and access thereto by attack machine 10 may cause 
damage to a large collection of computer systems commonly located within the 
network. 

In FIGURE 2, there is illustrated a comprehensive intrusion prevention system 
employing network-based and hybrid host-based/node-based intrusion detection 
technologies according to an embodiment of the invention. One or more networks 
100 may interface with the Internet 50 via a router 45 or other device. In the 
illustrative example, two Ethernet networks 55 and 56 are comprised in network 100. 
Ethernet network 55 comprises a web-content server 270A and a file transport 
protocol- content server 270B. Ethemet network 56 comprises a domain name server 
270C, a mail server 270D, a database sever 270E and a file server 270F. A 
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firewall/proxy router 60 disposed intermediate Ethernets 55 and 56 provides security 
and address resolution to the various systems of network 56. A network-based IPS 
appliance 80 and 8 1 is respectively implemented on both sides of firewall/proxy router 
60 to facilitate monitoring of attempted attacks against one or more elements of 
Ethernets 55 and 56 and to facilitate recording successful attacks that successfully 
penetrate firewall/proxy router 60. Network-based IPS apphances 80 and 81 may 
respectively comprise (or alternatively be connected to) a database BOA and 81 A of 
known attack signatures, or rules, against which network frames captured thereby may 
be compared. Alternatively, a single database (not shown) may be centrally located 
within network 100 and maybe accessed by network-based IPS appliances 80 and 81. 
Accordingly, network-based IPS appliance 80 may monitor all packets inbound from 
Internet 50 to network 100 arriving at Ethernet network 55. Similarly, a network- 
based IPS apphance 81 may monitor and compare all packets passed by firewall/proxy 
router 60 for delivery to Ethernet network 56. An IPS management node 85 may also 
be part of network 100 to facilitate configuration and management of the IPS 
components in network 100. 

In view of the above-noted deficiencies of network-based intrusion prevention 
systems, a hybrid host-based and node-based intrusion prevention system is preferably 
implemented within each of the various nodes, such as servers 270A-270N (also 
referred to herein as "nodes"), of Etiiemet networks 55 and 56 in tiie secured network 
100. Management node 85 may receive alerts from respective nodes wilhin network 
100 upon detection of an intrusion event by any one of the network-based IPS 
apphances 80 and 81 as well as any of the nodes of network 100 having a hybrid 
agent-based and node-based IPS implemented thereon. Additionally, each node 
270A-270F may respectively employ a local file system for archiving intrusion-related 
events, graierating intrusion-related reports, and storing signature files against which 
local network firames and/or packets are examined. 

Preferably, network-based IPS apphances 80 and 81 are dedicated entities for 
monitoring network traffic on associated Ethernets 55 and 56 of network 100. To 
facilitate intrusion detection in high speed networks, network-based IPS apphances 80 
and 81 preferably comprise a large capture RAM for capturing packets as they arrive 
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on respective Ethernet networks 55 and 56. Additionally, it is preferable that 
network-based IPS appliances 80 and 81 respectively comprise hardware-based filters 
for filtering network traffic, although IPS filtering by network-based IPS appliances 
80 and 81 maybe implemented in software. Moreover, network-based IPS appliances 
80 and 81 may be configured, for example by demand of BPS management node 85, to 
monitor one or more specific devices rather than all devices on a common network. 
For example, network-based IPS apphance 80 may be directed to monitor only 
network data traffic addressed to web server 270A. 

Hybrid host-based/node-based intrusion prevention system technologies may 
be implemented on all nodes 270A-270N on Ethernet networks 55 and 56 that may be 
targeted by a network attack. In general, each node is comprised of a reprogrammable 
computer having a central processing unit (CPU), a memory module operable to store 
machine-readable code that is retrievable and executable by the CPU, and may fiirther 
comprise various peripheral devices, such as a display monitor, a keyboard, a mouse 
or another device, connected thereto. A storage media, such as a magnetic disc^ an 
optical disc or another component operable to store data, may be connected to 
memory module and accessible thereby and may provide one or more databases for 
archiving local intrusion events and intrusion event reports. An operating system may 
be loaded into memory module, for example upon bootup of the respective node, and 
comprises an instance of a protocol stack as well as various low-level software 
modules required for tasks such as interfacing to peripheral hardware, scheduling of 
tasks, allocation of storage as well as other system tasks. Each node protected by the 
hybrid host-based and node-based IPS of the present invention accordingly has an IPS 
software application maintained within the node, such as in a magnetic hard disc, that 
is retrievable by the operating system and executable by the central processing unit. 
Additionally, each node executing an instance of the IPS application has a local 
database firom which signature descriptions of documented attacks may be fetched 
firom storage and compared with a packet or frame of data to detect a correspondence 
therebetween. Detection of a correspondence between a packet or fi^ame at an IDS 
server may result in execution of any one or more of various security procedures. 



10017331-1 



PATENT APPLICATION 

13 



The IPS described with reference to FIGURE 2 may be implemented on any 
number of platforms. Each hybrid host-based/node-based instance of the IPS 
appUcation described herein is preferably implemented on a network node, such as 
web server 270A operated under control of an operating system, such as Windows NT 
4.0 that is stored in a main memory and running on a central processing unit, and 
attempts to detect attacks targeted at the hosting node. The particular network 100 
illustrated in FIGURE 2 is exemplary only and may comprise any number of network 
servers. Corporate, and other large scale, networks may typically comprise numerous 
individual systems providing similar services. For example, a corporate network may 
comprise hundreds of individual web servers, mail servers, FTP servers and other 
systems providing common data services. 

Each operating system of a node incorporating an instance of an IPS 
appUcation additionally comprises a network protocol stack 90, as illustrated in 
FIGURE 3, that defines the entry point for frames received by a targeted node from 
the network, e.g. the Intemet or Intranet, Network stack 90 as illustrated is 
representative of the well-known WindowsNT (TM) system network protocol stack 
and is so chosen to facilitate discussion and understanding of the invention. However, 
it should be understood that the invention is not limited to a specific implementation 
of the illustrated network stack 90 but, rather, stack 90 is described to facilitate 
understanding of the invention. Network stack 90 comprises a transport driver 
interface (TDI) 125, a transport driver 130, a protocol driver 135 and a media access 
control (MAC) driver 145 that interfaces with the physical media 101. Transport 
driver interface 125 functions to interface the transport driver 130 with higher-level 
file system drivers. Accordingly, TDI 125 enables operating system drivers, such as 
network redirectors, to activate a session, or bind, with the appropriate protocol driver 
135. Accordingly, a redirector can access the appropriate protocol, for example UDP, 
TCP, NetBEUI or other network or transport layer protocol, thereby making the 
redirector protocol-independent. The protocol driver 135 creates data packets that are 
sent from the computer hosting the network protocol stack 90 to another computer or 
device on the network or another network via the physical media 101. Typical 
protocols supported by an NT network protocol stack comprise NetBEUI, TCP/IP, 
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NWLink, Data Link Control (DLC) and AppleTalk although other transport and/or 
network protocols may be comprised. MAC driver 145, for example an Ethemet 
driver, a token ring driver or other networking driver, provides appropriate formatting 
and interfacing with the physical media 101 such as a coaxial cable or another 
transmission medium. 

The capabilities of the host-based DPS comprise application monitoring of: file 
system events; registy access; successful security events; failed security events and 
suspicious process monitoring. Network access applications, such as Microsoft IIS 
and SQL Server, may also have processes related thereto monitored. 

Intrusions may be prevented on a particular IPS host by implementation of 
inline, node-based monitoring technologies. The inline-IPS is preferably comprised as 
part of a hybrid host-based/node-based IPS although it may be implemented 
independently of any host-based IPS system. The inline-IPS will analyze packets 
received at the hosting node and perform signature analysis thereof against a database 
of known signatures by network layer filtering. 

In FIGURE 4, there is illustrated a network node 270 that may run an instance 
of an IPS application 91 and thus operate as an IPS server. IPS application 91 maybe 
implemented as a three-layered IPS, as described in co-pending application entitled 
'TVlethod and Computer Readable Medium for a Three-Layered Intrusion Prevention 
System for Detecting Network Exploits" and filed concurrently herewith, and may 
comprise a server appUcation and/or a client application. Network node 270, in 
general, comprises a central processing unit (CPU) 272 and a memory module 274 
operable to store machine-readable code that is retrievable and executable by CPU 
272 via a bus (not shown). A storage media 276, such as a magnetic disc, an optical 
disc or anoflier component operable to store data, may be connected to memory 
module 274 and accessible thereby by the bus as well. An operating system 275 may 
be loaded into memory module 274, for example upon bootup of node 270, and 
comprises an instance of protocol stack 90 and may have an intrusion prevention 
system appUcation 91 loaded from storage media 276. One or more network exploit 
rules, an exemplary form described in co-pending appUcation entitled "Method, Node 
and Computer Readable Medium for Identifying Data in a Network Exploit" and filed 



10017331-1 



PATENT APPLICATION 

15 



concurrently herewith, may be compiled into a machine-readable signature(s) and 
stored within a database 277 that is loadable into memory modxile 274 and may be 
retrieved by IPS appUcation 91 for facilitating analysis of network frames and/or 
packets. 

In FIGURE 5, there is illustrated an exemplary network node that may operate 
as a management node 85 of the IPS of a network 100. Management node 85, in 
general, comprises a CPU 272 and a memory module 274 operable to store machine- 
readable code that is retrievable and executable by CPU 272 via a bus (not shown). A 
storage media 276, such as a magnetic disc, an optical disc or another component 
operable to store data, may be comiected to memory module 274 and accessible 
thereby by the bus as well. An operating system 275 may be loaded into memory 
module 274, for example upon bootup of node 85, and comprises an instance of 
protocol stack 90, Operating system 275 is operable to fetch an IPS management 
application 279 from storage media 276 and load management application 279 into 
memory module 274 where it may be executed by CPU 272. Node 85 preferably has 
an input device 281, such as a keyboard, and an output device 282, such as a monitor, 
connected thereto. 

An operator of management node 85 may input one or more text-files 277A- 
277N via input device 281. Each text-file 277A-277N may define a network-based 
exploit and comprise a logical description of an attack signature as well as IPS 
directives to execute upon an IPS evaluation of an intrusion-related event associated 
with the described attack signature. Each text file 277A-277N may be stored in a 
database 278A on storage media 276 and compiled by a compiler 280 into a respective 
machine-readable signature file 281A-281N that is stored in a database 278B. Each of 
the machine-readable signature files 281A-281N comprises binary logic representative 
of the attack signature as described in the respectively associated text-file 277A-277N. 
An operator of management node 85 may periodically direct management node 85, 
through interaction with a client appUcation of IPS application 279 via input device 
281, to transmit one or more machine-readable signature files (also generally referred 
to herein as "signature files") stored in database 278B to a node, or a plurahty of 
nodes, in network 100. Alternatively, signature files 281A-281N may be stored on a 
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computer-readable medium, such as a compact disk, magnetic floppy disk or another 
portable storage device, and installed on node 270 of network 100. Application 279 is 
preferably operable to transmit all such signature-files 281A-281N, or one or more 
subsets thereof, to a node, or a plurality of nodes, in network 100. Preferably, IPS 
application 279 provides a graphical user interface on output device 282 for 
facilitating input of commands thereto by an operator of node 85. 

Numerous network analysis tools exist and often employ various network 
capture and/or decode technologies. Network capture systems are responsible for 
reading and recording network traffic that may be valuable for network performance 
analysis, such as for performing an analysis of a network attack. Captured data may 
be viewed offline and, in some network capture systems, in real-time. Capture 
systems may employ pre-capture filters to reduce the amount of data that is captured 
by the capture system. "Triggers" may be employed that initiate or halt network 
capture. Exemplary triggers include pattem-matching triggers, layer 2 and layer 3 
errors such as checksum errors and threshold triggers such as latency triggers that 
initiate capture of network traffic when a network transmission latency parameter falls 
below a predefined threshold. 

A protocol decode engine is often utilized in conjunction with a network 
capture system and facilitates efficient analysis of the information obtained by the 
network capture system. A decode engine is a software application that reads raw 
network data, such as binary streams captured off an Ethernet, and converts the 
captured data into a format suitable for viewing and analysis by a network manager or 
security personnel. Modem protocol decode engines include graphical utilities and 
may distinguish between and decode hundreds of network protocols. A protocol 
decode engine may parse packets of captured network frames and allow selection and 
display of specific parts of captured data, such as display of TCP packet headers or 
one or more fields of headers of captured network traffic or display of specific 
message types of a particular protocol that allows an administrator thereof to quickly 
sift through and more easily obtain useful information from what is often massive 
quantities of raw data captured from a network capture system. 
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The present invention provides a decode engine that is integrated within IPS 
application 91 that simplifies interpretation of intrusion-related network traffic. With 
reference to FIGURE 6, there is illustrated an exemplary protocol stack 90A having an 
Intrusion protection system application inserted therein as described in the 
abovementioned co-pending application. Network stack 90A comprises TDI 125, 
transport driver 130, protocol driver 135 and media access control (MAC) driver 145 
that interfaces with the physical media 101. Network stack 90A additionally may 
comprise a dynamically linked library 115 that allows a plurality of subroutines to be 
accessed by apphcations 105 and 110 and facilitates linking with other appUcations of 
appUcation layer 112 thereby. Dynamically linked library 115 may alternatively be 
omitted and the functionality thereof may be incorporated into the operating system. 

The present invention incorporates a decode engine 450, as illustrated in 
FIGURE 7, into IPS application service provider 110, also referred to as an IPS server, 
of IPS appUcation 91. IPS appUcation 91 may be implemented as a three-layered IPS 
application additionally comprising transport service provider 120 and network filter 
service provider 140. IPS application service provider 110 comprises an event viewer 
application 410, a report viewer application 420, a report server application 415 and 
an event-database 405. An IPS network filter service provider 140 implemented as an 
intermediate driver bound to MAC driver 145 and protocol driver 135 of network 
stack 90A comprises an event manager 147B and an associative process engine 147C. 
Associative process engine 147C employs signature-matching technologies, such as 
pattern-matching, and is operable to identify network fi*ames and packets having 
signatures corresponding to one or more signatxires logically defined in machine- 
readable signature files maintained in signature database 277. Upon detection of a 
correspondence of a network fi-ame or packet and a machine-readable signature file of 
database 277, the occurrence thereof may be provided to event manger 147B. 
Network filter service provider 140 may execute one or more of a pluraUty of 
directives specified by the machine-readable signature file(s) having a correspondence 
with the network fi^me or packet. For example, network filter service provider 140 
may direct archiving of the identified frame or packet, execution of a countermeasure 
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such as closing of a network port, invocation of transmission of a report to a 
management node 85 or execution of another security measure. 

Upon detection of an intrusion-event by associative process engine 147C, 
event manager 147B provides an indication of the occurrence of the intrusion event to 
IPS application service provider 110 and preferably logs the event in event-database 
405. Event logging may include writing a copy of the network frame or packet 
identified in the intrusion event, reporting an indication of the signature file(s), such 
as a signature file identification index, determined to have a correspondence with the 
identified frame or packet, date time stamping information regarding the event, 
indexing the event with an event number, as well as logging other intrusion event 
information that may be obtained from network filter service provider 90A. 

Event viewer application 410 is operable to retrieve event-data archived in 
event-database 405 and submit the retrieved data to decode application 450. Decoded 
event-data may then be returned to event viewer 410 where it is accessible by a cUent 
IPS application 1 1 1 that may display the decoded data, for example on a graphical 
user interface 113, provided by cUent IPS appUcation 111 on a peripheral monitor. 
Decode application 450 preferably comprises a decode engine 430 and a decode 
server 425. Decode server 425 provides event-data that may be logged in event- 
database 405 to decode engine 430. Decode engine 430 preferably comprises logic 
for interpreting raw network data, such as binary streams of a network frame captured 
off an Ethernet by network filter service provider 140, and converting the network 
data into a format suitable for viewing and for facilitating analysis thereof by a 
network manager or security personnel. Decode engine 430 may distinguish between 
a plurality of network protocols and may parse packets of captured network frames 
and provide interpretations of specific parts thereof, such as evaluation of TCP packet 
headers or one or more fields of headers of captured network packets, evaluation of 
specific message types of a particular protocol that allows an administrator to quickly 
analyze the network fi-ame, and may perform otiier interpretive fimctions of the 
captured network traffic stored in event-database 405. 

Decode server appUcation 425 may receive the decoded event-data provided 
by decode engine 430 and supply the decoded event-data to event viewer appUcation 
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410 and/or a report server application 420. Event viewer application 410 may be 
interrogated by client IPS application 111 for the decoded data associated with a 
particular intrusion-event. In response to a client interrogation, event viewer may 
retrieve the subject event-data from event-database 405 and submit the event-data to 
decode appUcation 450. Decoded event-data returned to event viewer 410 may then 
be suppUed to client IPS application 1 1 1 in response to the interrogation submitted by 
chent IPS application 111. 

Report viewer 420 may likewise obtain event-data from event-database 405 
and submit the event-data to decode application 450 for interpretation thereof Report 
server may request a plurality of data files regarding a plurality of intrusion-events 
stored in event-database 405. A pluraUty of event-data files obtained from event- 
database may then be submitted to decode engine 430 for interpretation thereof Upon 
interpretation of the intrusion-events, the interpreted data representative of a plurality 
of events is submitted to report server 415 where it may be compiled into a report 
documenting various aspects of the plurality of events. The report may be archived in 
report database 416. Generation of reports may be initiated by a request from client 
IPS appUcation 1 1 1 submitted to report viewer 420 that submits the request as a query 
to report server 415. A report request &om client IPS application 111 may specify a 
query for a report having information on events having common properties, such as a 
common type of attack. Other report queries may specify a request for any events 
occurring during a specified period of time. In general, a report query issued from 
client IPS application 1 1 1 may comprise any query function that may be used to 
interrogate event-database 405 and accordingly, may included report queries 
requesting a report containing event specific data, events resulting from network 
frame matches with one or more particular signature IDs, events occurring during 
specified periods of time, specific event numbers, or a range of specific event 
numbers, as well as specifications of any other data that may be logged with event- 
data in event-database 405. 



